Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for analyzing access control, the system comprising: at least one memory; at least one processor; an operating system having resources and principals; an information flow comprising inferred read, write, and execute relations between one or more of the principals and one or more of the resources; an escalation checker configured to determine, based on applying an access control policy model to the inferred read, write, and execute relations of the generated information flow, that one or more privilege escalations are possible; and a vulnerability report indicating that one or more privilege escalations are possible; wherein the vulnerability report comprises one or more hierarchical structures, and wherein each hierarchical structure comprises: a root element identifying a privilege escalation of the one or more privilege escalations; and a derivation comprising one or more non-root elements that are descendants of the root element and identify a source of each of the privilege escalations.
2. The system of claim 1 wherein generating the information flow uses: an operating system-specific component identifying resources and principals; and a component that is general across several operating systems.
3. The system of claim 2 wherein: the operating system-specific component receives access control relations and emits a relationship dataset; and the component that is general across several operating systems receives the relationship dataset and emits the information flow.
4. The system of claim 1 wherein the access control policy model defines system security policies.
5. The system of claim 1 wherein: the vulnerability report is provided in a hierarchical representation; and the vulnerability report identifies a security vulnerability in the operating system or identifies a reason for an identified vulnerability.
6. The system of claim 1 further comprising an access control graph viewer configured to access the vulnerability report and emit a graphical report that illustrates vulnerabilities identified by the vulnerability report.
7. The system of claim 1 wherein: the escalation checker is further configured to determine, based on the generated information flow, whether taint is possible; and the vulnerability report indicates, when taint is possible, that the taint is possible.
8. The system of claim 1 wherein: the escalation checker is further configured to determine, based on the generated information flow, whether integrity can be compromised; and the vulnerability report indicates, when integrity can be compromised, that the integrity can be compromised.
9. The system of claim 1 wherein the information flow identifies relationships between at least one of the principals and at least two of the resources.
10. A method for analyzing access control, the method comprising: generating an information flow comprising relations between one or more principals and one or more resources; determining, based on applying an access control policy model to the relations of the generated information flow, that one or more privilege escalations are possible; and indicating in a vulnerability report that one or more privilege escalations are possible; wherein the vulnerability report comprises one or more hierarchical structures, and wherein each hierarchical structure comprises: a root element identifying a privilege escalation of the one or more privilege escalations; and a derivation comprising one or more non-root elements that are descendants of the root element and identify a source of the privilege escalation identified by the root element.
11. The method of claim 10 wherein the information flow identifies relationships between principals and resources.
12. The method of claim 10 wherein the access control policy model defines system security policies.
13. The method of claim 10 wherein generating the information flow uses an operating system-specific component identifying resources and principals, and a component that is general across several operating systems.
14. The method of claim 13 further comprising: receiving, by the operating system-specific component, access control relations and emitting a relationship dataset; and receiving, by the component that is general across several operating systems, the relationship dataset and emitting the information flow.
15. The method of claim 10 wherein at least one hierarchical structure of the one or more hierarchical structures comprises a tree having at least three levels.
16. The method of claim 15: wherein each element in the at least one hierarchical structure identifies a privilege; and wherein each element in the derivation of the at least one hierarchical structure identifies a privilege source of the privilege identified in a parent of that element.
17. The method of claim 16: wherein each element in the derivation of the at least one hierarchical structure identifies the privilege source for that element as at least an element predicate and an element principle; and wherein the element predicate defines how the element principle relates to the privilege identified in the parent of that element.
18. The method of claim 10 wherein the root node of at least one hierarchical structure of the one or more hierarchical structures comprises at least an identification of a resource, an identification of a first principal with an access right to the resource, and an identification of a second principal that can interact with the resource through the access right of the first principal.
19. A computer-readable memory device encoded with computer-executable instructions that, when executed by a computing system, cause the computing system to perform operations for analyzing access control, the operations comprising: generating an information flow comprising inferred read, write, and execute relations between one or more principals and one or more resources; determining, based on applying an access control policy model to the inferred read, write, and execute relations of the generated information flow, that one or more privilege escalations are possible; and indicating in a vulnerability report that one or more privilege escalations are possible; wherein the vulnerability report comprises one or more hierarchical structures, and wherein each hierarchical structure comprises: a root element identifying a privilege escalation of the one or more privilege escalations; and a derivation comprising one or more non-root elements that are descendants of the root element and identify a source of the privilege escalation.
20. The computer-readable memory device of claim 19 wherein the information flow identifies relationships between one of the principals and at least two of the resources.
21. The computer-readable memory device of claim 19 wherein the access control policy model defines system security policies.
22. The computer-readable memory device of claim 19 wherein generating the information flow uses an operating system-specific component identifying resources and principals and a component that is general across several operating systems.
23. The computer-readable memory device of claim 22 wherein: the operating system-specific component receives access control relations and emits a relationship dataset; and the component that is general across several operating systems receives the relationship dataset and emits the information flow.
24. The computer-readable memory device of claim 19 wherein: the operations further comprise determining that taint is possible or that integrity can be compromised; in response to determining that taint is possible, the vulnerability report indicates that taint is possible; and in response to determining that integrity can be compromised, the vulnerability report indicates that integrity can be compromised.
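As an added illustration of the claimed system (example code written for this page, not code from the patent or any implementation of it), the following Python builds a constructed read/write/execute information flow, applies an assumed trust-level policy model as the escalation checker, and emits the vulnerability report as hierarchical structures: a root element naming the resource, the principal holding the access right and the principal that can reach it through that right (claim 18), derivation elements each made of a predicate and a principal (claim 17), and a third level recording the group membership that grants the right (claim 15). All principal names, paths and trust levels are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample information flow: (principal, relation, resource, via);
# 'via' is the group principal through which the right is held, or None.
FLOW = [
    ("root", "execute", "/usr/local/bin/backup.sh", None),
    ("root", "read", "/etc/shadow", None),
    ("webservice", "write", "/usr/local/bin/backup.sh", "staff"),
    ("webservice", "read", "/var/www/index.html", None),
    ("auditor", "read", "/var/log/auth.log", "adm"),
    ("syslog", "write", "/var/log/auth.log", None),
]

# Assumed policy model: integer trust levels. A lower-trust principal must not
# be able to write a resource that a higher-trust principal executes (privilege
# escalation) or reads (taint of that principal's input).
TRUST = {"root": 3, "auditor": 2, "syslog": 1, "webservice": 1}

@dataclass
class Node:
    """One element of a hierarchical report: a label plus child elements."""
    label: str
    children: list = field(default_factory=list)

    def add(self, label):
        self.children.append(Node(label))
        return self.children[-1]

    def depth(self):
        return 1 + max((c.depth() for c in self.children), default=0)

def check_escalations(flow, trust):
    """Escalation checker: apply the policy model to the flow and return one
    report tree per finding (root = escalation, children = its derivation)."""
    writers = [(p, r, via) for p, rel, r, via in flow if rel == "write"]
    findings = []
    for p1, rel, res, via1 in flow:
        for p2, res2, via2 in writers:
            if rel == "write" or res2 != res or trust[p2] >= trust[p1]:
                continue
            kind = "privilege escalation" if rel == "execute" else "taint"
            root = Node(f"{kind}: {p2} reaches {p1} through {res}")
            holder = root.add(f"{rel}s: {p1}")   # principal holding the right
            source = root.add(f"writes: {p2}")   # source of the escalation
            for node, via in ((holder, via1), (source, via2)):
                if via:
                    node.add(f"member of: {via}")  # why that right exists
            findings.append(root)
    return findings
```

Each returned tree can be walked from the root to its leaves to read off exactly which principal, right and group membership produced the finding.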
December 15, 2015